HOW TO BUILD A SUCCESSFUL VULNERABILITY MANAGEMENT PROGRAM FOR MEDICAL DEVICES


WHO WE ARE 


Sarah 


B.S. in Telecommunications Systems 
Management 


M.S. in Information Security 


CISSP 


Leader of selection and implementation of 
new vulnerability assessment tool 


Robert 
At HCA for 15 years 


Diverse background in technology and 
information security 


Key team member in implementation and 
use of Qualys 


Our Implementation 
Authorization 


Process for Safe Assessment 


Reporting and Accountability 


CURRENT IMPLEMENTATION 


200 Scanning Appliances 


Appliance assignment based on physical location of divisions 


Rescan environment within 24 hours — Occurs twice a week 


Discover new assets (scan every IP in subscription) weekly 


Data from scans sync to Splunk and to an internally created tool for review 


On the 12th of each month, we snapshot the data and each division gets a high level report of 
the expectations vs actual results 


GOALS FOR NEW VULNERABILITY ASSESSMENT PROCESS


ASAP for headline vulnerabilities


Continued scanning of troublesome 
devices 


Improved customer service 


SUPPORT TO DO WHAT WE DO 


Authorized and responsible for scanning 
everything on our network 


Including medical and non-traditional 
devices 


High level of support from upper 
management 


Bonus: Strong relationships with Vendor
Management team


YOU CAN'T SCAN THIS DEVICE!


Impacts to devices present as: 


Service locks up 

Reboot necessary 

System locks up entirely 

Major delays in processing jobs


Resources are heavily impacted


Usually occurs in devices that are 
misconfigured, outdated, or just not built 
by the vendor properly 


SORRY, BUT NOT SORRY. YES WE CAN! 


Having an impact and an excuse ≠
exclusion from scanning


If a system was impacted from a
vulnerability scan, it's vulnerable to a
Denial of Service Attack
STEP 1: DID WE CAUSE THE IMPACT?


Investigation process for 
systems that don't like being 
assessed 


Use dates, times, logs, etc. 
for impact and cause 


Schedule controlled scan 
and monitor for impact 


Use Qualys data for what 
possibly went unresponsive 


QID FOR UNRESPONSIVE SERVICES 


30229 - Service Stopped Responding 


Example: On port 23/TCP 3 consecutive connection attempts failed after a 
total number of 3 successful connections. 


86476 - Web Server Stopped Responding / 86718 - Exhaustive Web Testing 
Skipped 


Example: The web server stopped responding to 4 consecutive HTTP
requests 2 minutes ago.


42432 — Possible Scan Interference 


Example: Service name: Unknown - Possible Scan Interference on TCP 
port 443. 
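The QIDs above are the starting point the process uses for deciding which ports to pull out of a scan (see the summary slide). The script below is an added example, not part of the deck or a Qualys tool: it takes constructed detection records in the wording shown above, keeps only the interruption QIDs, parses the affected port out of the result text, and optionally keeps only detections that fall within a window around the reported outage (the date/time correlation step). The record layout and the IMPACT_REPORTED time are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# QIDs the deck names as indicators that a service went unresponsive mid-scan.
INTERRUPTION_QIDS = {30229, 86476, 86718, 42432}
# Port references as they appear in the result text of those QIDs.
PORT_ON_SERVICE = re.compile(r"[Oo]n port (\d+)/(TCP|UDP)")      # QID 30229 wording
PORT_ON_INTERFERENCE = re.compile(r"on (TCP|UDP) port (\d+)")    # QID 42432 wording

def port_from_results(text):
    """Return (port, proto) parsed from a result string, or None if absent."""
    m = PORT_ON_SERVICE.search(text)
    if m:
        return int(m.group(1)), m.group(2)
    m = PORT_ON_INTERFERENCE.search(text)
    if m:
        return int(m.group(2)), m.group(1)
    return None

def ports_to_exclude(detections, impact_time=None, window=timedelta(hours=2)):
    """Map host -> set of (port, proto) that interruption QIDs point at. With
    impact_time set, only detections within +/- window of the outage count."""
    out = defaultdict(set)
    for d in detections:
        if d["qid"] not in INTERRUPTION_QIDS:
            continue
        if impact_time is not None and abs(d["when"] - impact_time) > window:
            continue
        port = port_from_results(d["results"])
        if port is None and d.get("port"):      # QID 86476 text names no port
            port = (d["port"], "TCP")
        if port is not None:
            out[d["host"]].add(port)
    return dict(out)

# Constructed sample data: result strings follow the wording in the deck,
# and IMPACT_REPORTED is the time a sysadmin said the device went down.
IMPACT_REPORTED = datetime(2019, 5, 1, 2, 0)
SAMPLE = [
    {"host": "10.0.0.5", "qid": 30229, "port": 23, "when": datetime(2019, 5, 1, 2, 15),
     "results": "On port 23/TCP 3 consecutive connection attempts failed after a "
                "total number of 3 successful connections."},
    {"host": "10.0.0.5", "qid": 42432, "port": 443, "when": datetime(2019, 5, 1, 2, 20),
     "results": "Service name: Unknown - Possible Scan Interference on TCP port 443."},
    {"host": "10.0.0.7", "qid": 86476, "port": 80, "when": datetime(2019, 4, 28, 9, 0),
     "results": "The web server stopped responding to 4 consecutive HTTP requests 2 minutes ago."},
    {"host": "10.0.0.5", "qid": 86002, "port": 443, "when": datetime(2019, 5, 1, 2, 21),
     "results": "SSL Certificate present (not an interruption QID)."},
]
```

Without an impact time the function lists every host that showed interruption QIDs; with one it narrows the list to the host whose failures line up with the complaint.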


PAUSE: WHAT IF THEY STILL SAY “NO” 
STEP 2: ARE THERE ANY MORE OF THESE DEVICES OUT THERE?


Get inventory of the systems 
OR 
Fingerprint the host based on: 


Open Ports


DNS name string


OS


SSL Header


Unauthenticated:
QID 12230 - Default Web Page
QID 86002 - SSL Certificate


(Screenshot: Rule Engine > Asset Search, "Re-evaluate rule on save", with tag criteria XML carrying a SEARCH_TYPE and SEARCH_TERM on DNS_HOSTNAME)
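The fingerprint step matches hosts on OS string, DNS name, open ports, SSL subject and unauthenticated QIDs so every sibling of a fragile device can be tagged before the next scan. The rule evaluator below is an added example written for this deck, not Qualys' rule engine or its XML format: CONTAINING is the search type visible in the screenshot, while EQUALS, HAS_ALL and HAS_ANY are names assumed here; the inventory, IPs and hostnames are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    """One asset as seen by an unauthenticated scan (constructed fields)."""
    ip: str
    os: str = ""
    dns: str = ""
    open_ports: set = field(default_factory=set)
    ssl_subject: str = ""   # subject of the cert reported by the SSL Certificate QID
    qids: set = field(default_factory=set)

def criterion_matches(host, fld, op, value):
    """Evaluate one (field, search type, term) criterion against a host.
    CONTAINING is the search type shown in the deck; EQUALS, HAS_ALL and
    HAS_ANY are assumed names added here for exact and set matching."""
    actual = getattr(host, fld)
    if op == "CONTAINING":
        return value.lower() in actual.lower()
    if op == "EQUALS":
        return actual.lower() == value.lower()
    if op == "HAS_ALL":
        return set(value) <= actual
    if op == "HAS_ANY":
        return bool(set(value) & actual)
    raise ValueError(f"unknown search type {op}")

def rule_matches(host, rule):
    """A rule is a list of criteria that must all hold (logical AND)."""
    return all(criterion_matches(host, f, o, v) for f, o, v in rule)

def find_siblings(inventory, rule):
    """Return the IPs of every host that matches the fingerprint rule."""
    return sorted(h.ip for h in inventory if rule_matches(h, rule))

# Constructed inventory: two label printers (one with no OS detected),
# a workstation and a web server.
INVENTORY = [
    Host("10.0.1.10", os="DYMO Printer", dns="dymo-lab1.example.com",
         open_ports={80, 443, 9100}, ssl_subject="DYMO", qids={12230, 86002}),
    Host("10.0.1.11", os="Unknown", dns="dymo-lab2.example.com",
         open_ports={80, 443, 9100}, ssl_subject="DYMO", qids={12230, 86002}),
    Host("10.0.2.20", os="Windows 10", dns="ws020.example.com", open_ports={135, 445}),
    Host("10.0.3.30", os="Linux 3.x", dns="webapp.example.com",
         open_ports={80, 443}, qids={86002}),
]

# The OS rule from the screenshot, and a broader rule for when OS detection fails.
OS_RULE = [("os", "CONTAINING", "DYMO Printer")]
UNAUTH_RULE = [("qids", "HAS_ALL", {12230, 86002}), ("open_ports", "HAS_ALL", {80, 9100}),
               ("ssl_subject", "CONTAINING", "dymo")]
```

The OS-only rule misses the printer whose OS came back as Unknown; the rule built from unauthenticated QIDs, ports and certificate subject catches both, which is why the deck pairs the OS fingerprint with those other signals.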
STEP 3: NO MORE IMPACT DURING A SCAN


these tags were included in the scan


excluded in the scan 


OPTION PROFILES AND TAG OVERLOAD 


Option profiles (names recovered from the screenshot):

Standard Special Case: No Port 10128
Standard Special Case: No Port 21
Standard Special Case: No Port 21 23 60 and 443
Standard Special Case: No Port 22
Standard Special Case: No Port 23
Standard Special Case: No Port 23 80 443
Special Case: No Port 6001 6002 and 6003
Special Case: No Port 7000 and 7100
Special Case: No Port 5004 3012


Tags:

Asset Group; includes any known static IPs

Logic Fingerprint Tag; to cover any additional


(Screenshot: Rule Engine > Asset Search, "Re-evaluate rule on save", with tag criteria XML on OPERATING_SYSTEM, search type CONTAINING, search term "DYMO Printer")


TEMPORARY EXCLUSION OVERLOAD 


AFTER ROOT CAUSE ANALYSIS 


Only assess systems in a safe 
manner 


Balance of security vs usability 


Builds relationships with system
administrators


Document every step in detail for 
accountability 


REPORTING AND ACCOUNTABILITY 


Can't handle standard port
traffic = vulnerable to DoS


Language for purchase contract 
focuses on maintaining secure 
system 


Depersonalize the result data 


Focus on: We all have the 
same goal 


From Sys Admin | Response from Us
Anger and Frustration | Understanding and Explanation of Process
Additional Helpful Information | Scheduling Test Time
Willingness to Test Quickly | Valid Test and Solution
Satisfaction With Solution and No More Impact |


SUMMARY OF PROCESS 


Get complaint that system went down OR we 
proactively investigate systems that are likely 
having issues 


Add the systems into a temporary exclusion from 
scanning using groups while we continue to 
investigate 


Use the QIDs for service interruption as a starting
point for ports to exclude from being scanned on
the systems (and other factors like logs and time/
date correlation between impact and us scanning)


Test under controlled conditions when system is
stable to verify impact from default settings


If impact is confirmed as causation, test for
impact in the modified scan (ports removed)


If no impact with the scan modifications, we move 
the tagged systems to only be scanned with these 
modifications — Therefore we met the goal of 
continuing to assess a device that has issues 


When possible or needed, we then turn this 
information over to a vendor and encourage 
remediation of the system having an impact from 
being assessed 


QUESTIONS? 


